How to link specific ports to specific domains with Apache virtual hosts?

Posted by theJoe on Server Fault
Published on 2012-06-27T14:53:36Z Indexed on 2012/06/27 15:17 UTC

We have a forward-facing Linux box running Apache HTTP server that is acting as a reverse proxy for several back-end servers. The servers are accessed through specific domain names and ports and are set up as virtual hosts within Apache as such:

Listen 8001
Listen 8002

<Virtualhost *:8001>
    ServerName service.one.mycompany.com

    ProxyPass / http://internal.one.mycompany.com:8001/
    ProxyPassReverse / http://internal.one.mycompany.com:8001/

    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]
</Virtualhost>

<Virtualhost *:8002>
    ServerName service.two.mycompany.com

    ProxyPass / http://internal.two.mycompany.com:8002/
    ProxyPassReverse / http://internal.two.mycompany.com:8002/

    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]
</Virtualhost>

The proxy server has only one IP address, and both domains are pointing to it. Accessing internal.one via service.one works fine, as does accessing internal.two via service.two.

Now the problem is that Apache does not take the requesting domain into account when accessing the virtual hosts. What I mean is that both domains work for both ports: requests for service.one:8002 proxy to internal.two:8002, and requests for service.two:8001 proxy to internal.one:8001, where ideally both these requests should be denied.

I can get around this by creating more virtual hosts that explicitly deny these requests:

NameVirtualHost *:8001
NameVirtualHost *:8002

<Virtualhost *:8001>
        ServerName service.two.mycompany.com
        Redirect permanent / http://errorpage.mycompany.com/
</Virtualhost>
<Virtualhost *:8002>
        ServerName service.one.mycompany.com
        Redirect permanent / http://errorpage.mycompany.com/
</Virtualhost>

But this is not an ideal solution, since we plan to add more services to the proxy, and each new port would need to be explicitly denied on all the other domains, and each new domain would need to be explicitly denied on all ports it is not utilizing. As we add more services, the number of virtual hosts can get out of hand quickly.

My question, then, is whether there is a better way? Can we explicitly tie specific ports to specific domains in a virtual host so that only that domain-port combination is processed, and all other combinations are not?

Things I’ve tried:

  • Adding NameVirtualHost *:8001, etc. without the additional virtual hosts.
  • Setting ProxyRequests On and Off, as well as ProxyPreserveHost On and Off.
  • Adding the server name or IP address to the virtual host header, e.g. <VirtualHost service.one.mycompany.com:8001>
  • Using the <proxy> directive inside the virtual host directive.
  • Lots and lots of googling.

The proxy server is running CentOS 6.2 64-bit, Apache HTTPD server 2.2.15. As mentioned, the proxy server has only one IP address, and all the domains we are using are pointing to it.
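
The configuration below is an added example, not part of the original post: in Apache 2.2 a port without NameVirtualHost ignores the Host header, and with it the first virtual host listed for a port becomes the default for any unmatched Host, so one deny-all virtual host placed first on each port rejects every other domain without a virtual host per domain-port pair. The default-deny-*.invalid server names are hypothetical placeholders; everything else reuses the names from the question.

```apache
Listen 8001
Listen 8002

# Apache 2.2: enables name-based matching on each port. Without these
# lines the single vhost on a port answers every request on that port.
NameVirtualHost *:8001
NameVirtualHost *:8002

# --- Port 8001 ---
# Listed first, so it is the default for *:8001. It receives any request
# whose Host header matches no ServerName/ServerAlias below, including
# requests that carry no Host header at all.
<VirtualHost *:8001>
    # Hypothetical placeholder name; it only has to match no real domain.
    ServerName default-deny-8001.invalid
    RewriteEngine On
    RewriteRule .* - [F]
</VirtualHost>

<VirtualHost *:8001>
    ServerName service.one.mycompany.com
    ProxyPass / http://internal.one.mycompany.com:8001/
    ProxyPassReverse / http://internal.one.mycompany.com:8001/
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]
</VirtualHost>

# --- Port 8002 ---
<VirtualHost *:8002>
    # Hypothetical placeholder name, same role as on port 8001.
    ServerName default-deny-8002.invalid
    RewriteEngine On
    RewriteRule .* - [F]
</VirtualHost>

<VirtualHost *:8002>
    ServerName service.two.mycompany.com
    ProxyPass / http://internal.two.mycompany.com:8002/
    ProxyPassReverse / http://internal.two.mycompany.com:8002/
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]
</VirtualHost>
```

Running httpd -S prints the parsed virtual host layout, including which entry is the default server for each port, so the ordering can be confirmed before reloading.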

© Server Fault or respective owner
